
Accessing DMZ through an SSL VPN

fabiengermain (Level 1)

Hello,

I set up WebVPN on an 1811 router. It works fine to access the LAN (10.1.114.0/24), but I am unable to join the DMZ (192.168.22.0/24), whereas it works if I am physically connected to the LAN, so I don't think it comes from my ACLs! I can't understand why... I guess it is something to do with TCP sessions not being "recognized" properly when coming from the VPN? Here is the result of a "debug ip packet" from my SSL VPN connection to a mail server in the DMZ:

Feb 12 15:49:26.204: IP: tableid=0, s=10.1.114.146 (local), d=192.168.22.7 (Vlan22), routed via FIB
Feb 12 15:49:26.204: IP: s=10.1.114.146 (local), d=192.168.22.7 (Vlan22), g=192.168.22.7, len 48, forward
Feb 12 15:49:26.204: TCP src=2086, dst=25, seq=854948936, ack=0, win=65535 SYN
Feb 12 15:49:26.204: %SEC-6-IPACCESSLOGP: list 102 denied tcp 192.168.22.7(25) -> 10.1.114.146(2086), 1 packet
Feb 12 15:49:26.204: IP: s=192.168.22.7 (Vlan22), d=10.1.114.146, len 48, access denied
Feb 12 15:49:26.204: TCP src=25, dst=2086, seq=2435898321, ack=854948937, win=5840 ACK SYN

1 Reply

thomas.chen (Level 6)

The security appliance receives the packet and, because it is a new session, verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA) and checks whether you have applied a NAT policy.
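An added example, not code from the thread, from Cisco or from either poster: a small Python parser that correlates the "debug ip packet" and %SEC-6-IPACCESSLOGP lines fabiengermain quoted into TCP flows and reports the flow whose SYN was forwarded but whose SYN/ACK reply was denied, naming the list and the interface that dropped it. This is the policy check thomas.chen describes, applied to the log after the fact. The regular expressions are assumptions fitted only to the six line shapes in the post, not a general IOS log grammar, and SAMPLE_LOG is constructed input (those six lines re-typed).

```python
"""Correlate Cisco IOS 'debug ip packet' and %SEC-6-IPACCESSLOGP lines into
TCP flows and flag a flow whose outbound SYN was forwarded while the SYN/ACK
reply was dropped by an access list.

Added example for the thread above; not Cisco's code and not the poster's.
The regexes are assumptions fitted to the six quoted lines, not a complete
IOS log grammar. SAMPLE_LOG is constructed sample input (the quoted lines).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_LOG = """\
Feb 12 15:49:26.204: IP: tableid=0, s=10.1.114.146 (local), d=192.168.22.7 (Vlan22), routed via FIB
Feb 12 15:49:26.204: IP: s=10.1.114.146 (local), d=192.168.22.7 (Vlan22), g=192.168.22.7, len 48, forward
Feb 12 15:49:26.204: TCP src=2086, dst=25, seq=854948936, ack=0, win=65535 SYN
Feb 12 15:49:26.204: %SEC-6-IPACCESSLOGP: list 102 denied tcp 192.168.22.7(25) -> 10.1.114.146(2086), 1 packet
Feb 12 15:49:26.204: IP: s=192.168.22.7 (Vlan22), d=10.1.114.146, len 48, access denied
Feb 12 15:49:26.204: TCP src=25, dst=2086, seq=2435898321, ack=854948937, win=5840 ACK SYN
"""

# Assumed line shapes (after the timestamp), derived from the quoted lines only.
IP_RE = re.compile(
    r"^IP: (?:tableid=\d+, )?s=(?P<src>[\d.]+) \((?P<sif>[^)]+)\), "
    r"d=(?P<dst>[\d.]+)(?: \((?P<dif>[^)]+)\))?.*?, (?P<verdict>[\w ]+)$"
)
TCP_RE = re.compile(
    r"^TCP src=(?P<sport>\d+), dst=(?P<dport>\d+), seq=\d+, ack=\d+, "
    r"win=\d+ (?P<flags>[A-Z ]+)$"
)
ACL_RE = re.compile(
    r"^%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset          # e.g. {"SYN"} or {"ACK", "SYN"}
    verdict: str              # "forward", "access denied", ...
    in_if: str                # interface (or "local") the packet came from
    acl: Optional[str] = None  # list that denied it, when the log says so


def parse_debug(text: str) -> list[Packet]:
    """Pair each 'TCP ...' line with the IP-layer line logged just before it,
    and attach a preceding ACL deny record when its 5-tuple matches."""
    packets: list[Packet] = []
    pending_ip = None   # last IP line, waiting for its TCP line
    pending_acl = None  # last ACL deny record, waiting for the packet it hit
    for raw in text.splitlines():
        body = raw.split(": ", 1)[1] if ": " in raw else raw  # drop timestamp
        if m := ACL_RE.match(body):
            pending_acl = m.groupdict()
        elif m := IP_RE.match(body):
            pending_ip = m.groupdict()  # "routed via FIB" then "forward": last wins
        elif (m := TCP_RE.match(body)) and pending_ip:
            acl = None
            if pending_acl and (
                pending_acl["src"], pending_acl["sport"],
                pending_acl["dst"], pending_acl["dport"],
            ) == (pending_ip["src"], m["sport"], pending_ip["dst"], m["dport"]):
                acl = pending_acl["acl"]
                pending_acl = None
            packets.append(Packet(
                src=pending_ip["src"], dst=pending_ip["dst"],
                sport=int(m["sport"]), dport=int(m["dport"]),
                flags=frozenset(m["flags"].split()),
                verdict=pending_ip["verdict"], in_if=pending_ip["sif"], acl=acl,
            ))
            pending_ip = None
    return packets


def find_broken_flows(packets: list[Packet]) -> list[dict]:
    """Group packets into bidirectional flows; report flows whose initial SYN
    was not denied but whose SYN/ACK reply was."""
    flows: dict[frozenset, list[Packet]] = {}
    for p in packets:
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        flows.setdefault(key, []).append(p)
    findings = []
    for pkts in flows.values():
        syn = next((p for p in pkts if p.flags == {"SYN"} and p.verdict != "access denied"), None)
        if syn is None:
            continue
        for p in pkts:
            is_reply = p.src == syn.dst and p.sport == syn.dport and {"SYN", "ACK"} <= p.flags
            if is_reply and p.verdict == "access denied":
                findings.append({
                    "client": syn.src, "client_side": syn.in_if,
                    "server": syn.dst, "port": syn.dport,
                    "acl": p.acl, "denied_on": p.in_if,
                })
    return findings


if __name__ == "__main__":
    for f in find_broken_flows(parse_debug(SAMPLE_LOG)):
        print(f"SYN {f['client']} ({f['client_side']}) -> {f['server']}:{f['port']} forwarded; "
              f"SYN/ACK from {f['server']} arriving on {f['denied_on']} denied by list {f['acl']}")
```

On the quoted log this prints a single finding: the SYN from 10.1.114.146 to 192.168.22.7:25 was forwarded, and the SYN/ACK coming back in on Vlan22 was denied by list 102. The `(local)` tag on the outbound packet is the detail worth noticing: the router itself sources the connection for the SSL VPN user, which is not how a LAN host's traffic enters, so the first thing to verify is what list 102 permits for return traffic toward 10.1.114.0/24 on the Vlan22 side, and then whether any NAT policy applies, as the reply above suggests.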